Log Review Expert-Enhanced Machine Learning Upgrade

This document is intended for early-access customers, and it is updated as Log Review upgrades are enhanced.

Alert Logic is upgrading the Log Review cases with new machine learning algorithms, which allows Alert Logic to deliver a higher level of security value. The Log Review algorithms can automatically detect many log-based anomaly types based on unique patterns and trends learned from your organization.

The Log Review output consists of anomalies generated by the machine learning based detection, delivered as information-level incidents on the Incidents page. Alert Logic provides detailed reports of the anomalies generated by the machine learning Log Review algorithms on the evidence tab of the incident investigation report. For more information about the investigation report, see Investigation Report.

Log Review incidents are listed in the Monthly Log Review report. Sections of the Incident Daily Digest report also summarize anomalies raised based on customer-level, host-level, and user-level models.

Alert Logic analysts continue to oversee Log Review incidents, and the Log Review feature continues to meet your log review compliance requirements.

About the machine learning based Log Review process

The machine learning model-based Log Review is fast, efficient, and accurate, which increases the likelihood of detecting most anomalies through log data. The Log Review model can detect more than 100 anomaly scenarios based on time series, location, and unusual names. The machine learning models are computed from the specific logs customers send to Alert Logic and are based on at least 90 days worth of data. Anomaly detections can also be triggered by rule-based analytics, which allows anomalies to be detected automatically and reliably, based on your patterns and trends.

Log Review examines security-related logs that alert you to potential security issues, and assists with compliance mandates. Log anomalies are automatically raised based on:

  • Unusual counts of certain events
  • Unique users accessing a host
  • Unusual or suspicious user names
  • Blacklists
  • User preference

Examples of log data that Alert Logic reviews are:

  • Windows: Failed logins, changes to privileges, changes to accounts, Active Directory global catalog changes, and others
  • Linux: Sudo access, SSH failed logins, switched user common success/fails, and others
  • AWS: MFA, security group changes, IAM, EC2, S3 changes, user account and access changes, network control changes, and others
  • Azure: Backup, user file access, user login activity, user network security events, OAuth2 grant activity, object access, user role modification activity, service principal activity, user group modification

The Log Review algorithm then observes and learns patterns and trends, and it automatically tunes itself for more accurate security content.

Log Review models and outcomes

The Log Review is based on three models:

  • Customer model: Tracks and learns from log data related to customer activity
  • Host model: Tracks and learns from log data related to host changes
  • User model: Tracks and learns from log data related to user activity

The Log Review outcomes include anomaly detections based on customer trends, anomalies based on user trends, and anomalies based on host trends. Alert Logic uses the following anomalies to generate incidents for all machine learning models:

Anomaly                 Description
high-message-count      A spike in the number of log messages of a given type.
high-sourceuser-count   A spike in the number of unique source users for a given message type and host.
high-targetuser-count   A spike in the number of unique target users for a given message type and host.
high-sourcehost-count   A spike in the number of unique source hosts for a given message type and host or user.
high-targethost-count   A spike in the number of unique target hosts for a given message type and host or user.
unusual-name            A user name is different from the normal names encountered.
unusual-location        A host location is different from the normal locations encountered.

Alert Logic analysts also generate incidents based on pattern matching and rule-based detection, according to your preferences. These include the following Windows administrator activities:

  • High log message count for Windows failed login
  • High log message count for Windows account changed
  • Total message count for Windows account changed

Observations

Alert Logic can note observations in incident investigation reports that provide other relevant security information. Observations identify security patterns and allow you to conduct threat hunting for activity that does not meet the criteria to become an incident but can still demonstrate security value. The two types of observations are anomaly observations and suspicious pattern observations.

For anomaly observations, Alert Logic records the following properties:

For high-message-count and high-user-count anomalies, the properties are:

  • Expected-count: the count of messages that the anomaly detector expected to see
  • Actual-count: the count of messages that the anomaly detector actually saw

For an unusual-location anomaly, the properties are:

  • Location: the anomalous location
  • Message-count: number of messages with anomalous location

For an unusual-name anomaly, the properties are:

  • Name: the anomalous name
  • Message-count: number of messages with the anomalous name

For suspicious pattern observations, Alert Logic records the following properties:

  • Message-count: the number of messages that matched the pattern
  • Matched-patterns: the values that matched the pattern
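The following toy detector illustrates how the anomaly types in the table above map onto the observation properties just listed. It is an added example written for this page, not Alert Logic's algorithm; the baseline rule (median of the history window plus three median absolute deviations), the treatment of "unusual" as "never seen in the baseline window", and the sample data are all constructed.

```python
from collections import Counter
from statistics import median

def expected_count(history):
    """Baseline for one message type on one host: median of the history
    window plus three median absolute deviations (constructed rule)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + 3 * mad

def high_message_count(history, actual):
    """high-message-count: today's count exceeds the baseline. Returns the
    observation properties the page lists (expected-count, actual-count),
    or None when the count is within the learned range."""
    expected = expected_count(history)
    if actual <= expected:
        return None
    return {"anomaly": "high-message-count",
            "expected-count": expected, "actual-count": actual}

def unusual_values(baseline, messages, field, anomaly):
    """unusual-name / unusual-location: a value of `field` never seen in the
    baseline window. One observation per new value, carrying the value itself
    and the message-count property from the page."""
    known = set(baseline)
    seen = Counter(m[field] for m in messages if m[field] not in known)
    return [{"anomaly": anomaly, field: value, "message-count": n}
            for value, n in seen.items()]

# Constructed sample: 14 days of Windows failed-login counts on one host,
# followed by a day with 85 such messages.
HISTORY = [12, 9, 15, 11, 10, 13, 8, 14, 12, 11, 9, 13, 10, 12]
KNOWN_NAMES = ["alice", "bob", "svc_backup"]   # names seen in the baseline
KNOWN_LOCATIONS = ["US"]                        # locations seen in the baseline
TODAY = [                                       # constructed parsed log records
    {"name": "alice", "location": "US"},
    {"name": "x7q9zz", "location": "US"},
    {"name": "x7q9zz", "location": "RO"},
    {"name": "bob", "location": "US"},
]

if __name__ == "__main__":
    print(high_message_count(HISTORY, 85))
    print(unusual_values(KNOWN_NAMES, TODAY, "name", "unusual-name"))
    print(unusual_values(KNOWN_LOCATIONS, TODAY, "location", "unusual-location"))
```

A day within the learned range (for example 14 messages against the same history) produces no observation, which is the behaviour that keeps these checks at observation rather than incident level.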

Customer model

The Log Review customer model includes anomalies based on customer trends of log message types for high overall count.

Model: Customer
Anomaly: high-message-count
Included details: Customer, Target, Time range, Log source, Customer ID and name, Message type (parser), Implicated hosts, Implicated users, Expected count, Actual count

Host model

The Log Review host model includes anomalies based on host trends of log message types for high count, unusual location, and unique users.

Model: Host
Anomaly: high-message-count
Included details: Time range, Log source, Customer ID and name, Message type, Host IP/name, Implicated users, Implicated event details, Expected count, Actual count

Model: Host
Anomaly: high-sourceuser-count, high-targetuser-count
Included details: Time range, Log source, Customer ID and name, Message type, Host IP/name, Implicated users, Implicated event details, Expected count, Actual count

Model: Host
Anomaly: unusual-location
Included details: Time range, Log source, Customer ID and name, Message type, Host IP/name, Implicated users, Implicated event details, Location

User model

The Log Review user model includes anomalies based on user trends of log message types for a high overall count, and it includes anomalies regarding unusual names.

Model: User
Anomaly: unusual-name
Included details: Time range, Log source, Customer ID and name, Message type, User name, Implicated hosts, Implicated event details

Model: User
Anomaly: high-message-count
Included details: Time range, Log source, Customer ID and name, Message type, User name, Implicated hosts, Implicated event details, Expected count, Actual count

Model: User
Anomaly: high-sourcehost-count, high-targethost-count
Included details: Time range, Log source, Customer ID and name, Message type, User name, Implicated hosts, Implicated event details, Expected count, Actual count